Opened 2 weeks ago

Last modified 13 days ago

#28881 new Cleanup/optimization

Document that CommonPasswordValidator assumes all words are lower case

Reported by: Nick Farrell
Owned by: nobody
Component: Documentation
Version: 2.0
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description (last modified by Nick Farrell)

The CommonPasswordValidator holds a set of common passwords in memory, after strip()ing any whitespace.
While validating a password, it converts it to lowercase before comparing to the set. However, the reference set was not converted to lowercase.

This is not a problem when using the default set of common passwords, as they have been preprocessed to be lowercase. However, there is nothing in the documentation indicating this preprocessing should occur.

Change History (4)

comment:1 Changed 2 weeks ago by Nick Farrell

Description: modified (diff)

comment:2 Changed 2 weeks ago by Nick Farrell

Description: modified (diff)

comment:3 Changed 2 weeks ago by Nick Farrell

Version: 1.11 → 2.0

comment:4 Changed 13 days ago by Tim Graham

Component: Uncategorized → Documentation
Summary: Common password validator does not handle case correctly → Document that CommonPasswordValidator assumes all words are lower case
Triage Stage: Unreviewed → Accepted
Type: Uncategorized → Cleanup/optimization

I think documenting the existing requirement for the password list to be lower case would be fine. A documentation fix would address the problem for older versions of Django and also avoid unnecessary computations for lists that are already lower case.
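
The behaviour described in this ticket, as an added example that is not part of the ticket or Django's source: a simplified model of the validator's load and compare steps, plus a hypothetical `normalize_password_list` helper that lowercases a custom list before it is used. The function names and the sample list are constructed for illustration.

```python
import os
import tempfile


def load_common_passwords(path):
    """Model of the behaviour in the ticket: entries are strip()ped only."""
    with open(path, encoding="utf-8") as f:
        return {line.strip() for line in f}


def is_common(password, passwords):
    """The candidate is lowercased and stripped before the set lookup."""
    return password.lower().strip() in passwords


def normalize_password_list(src, dst):
    """Hypothetical helper: write a lowercased, de-duplicated copy to dst."""
    with open(src, encoding="utf-8") as f:
        entries = {line.strip().lower() for line in f if line.strip()}
    with open(dst, "w", encoding="utf-8") as f:
        f.write("\n".join(sorted(entries)) + "\n")
    return len(entries)


def demo():
    # Constructed sample list with mixed-case entries (not Django's default list).
    sample = "Password1\nQwerty\nletmein\nPASSWORD1\n"
    with tempfile.TemporaryDirectory() as tmp:
        raw = os.path.join(tmp, "custom.txt")
        fixed = os.path.join(tmp, "custom-lower.txt")
        with open(raw, "w", encoding="utf-8") as f:
            f.write(sample)
        count = normalize_password_list(raw, fixed)
        before = load_common_passwords(raw)    # mixed-case list used as is
        after = load_common_passwords(fixed)   # preprocessed to lower case
    candidates = ["Password1", "qwerty", "LetMeIn"]
    return {
        "count": count,
        "before": [is_common(c, before) for c in candidates],
        "after": [is_common(c, after) for c in candidates],
    }


if __name__ == "__main__":
    print(demo())
```

With the raw list, only the entry that was already lower case is caught; the normalized file is the one to supply through the validator's `password_list_path` option.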
